This presentation describes Agile development practices as well as the requirements for building secure applications. It examines ways that teams can incorporate security into Agile development projects to successfully meet the goals of both.

1. Agile and Secure – Can We Be Both?
San Antonio AITP
August 15th, 2007

2. Agenda
• Background
• Evolution of traditional software development methodologies
• Benefits of Agile development
• Requirement for Secure development
• Agile and Secure
• Questions
1

3. Background
• Programmer b b k
P by background
d
– Both .NET and JEE: MCSD, Java 2 Certified Programmer
– Developer focused on security, not a security professional looking at
development
• Denim Group
– Software Development: .NET and JEE
NET
– Software / Application Security
• Vulnerability Assessments, Penetration Tests, Training, Mentoring
• Basis for this presentation:
– Work with our customers doing SDLC security mentoring
– Challenges facing our own agile development teams
g g g p
• Deliver projects in an economically-responsible manner
• Uphold security goals
2

4. Evolution of Traditional Software
Development Methodologies
p g
• Ad Hoc
• Waterfall
3

5. Ad Hoc Software Development
• Early days of computing
– Focus was on hardware
– Software was secondary
• No structure – “cowboy coding”
• Became unacceptable as software systems became larger and
more critical
4

6. Waterfall Software Development
• Treat software engineering as any structure engineering
process
• House building metaphor
5

7. Waterfall Software Development
Integration
Requirements Architecture Design Coding Deployment
Testing
6

8. Problems with Waterfall Model
• Creating software is different than creating bridges or buildings
– Creativity required throughout the process – not just at the outset
• Very documentation heavy
• Changes are expensive
– Must go back up the waterfall for impact analysis
• Business requirements change over time
– By the time you finish a system, the target has moved
7

9. Enter Agile Methods
Be more responsive to business concerns
Increase the frequency of stable releases
Decrease the time it takes to deploy new features
Do not waste time on “superfluous” documentation and
p
planning
g
8

10. Notable Agile Methods
• eXtreme Programming (XP)
• Feature Driven Development (FDD)
• SCRUM
• MSF for Agile Software Development
• Agile Unified Process (AUP)
• Crystal
9

11. Manifesto for Agile Software
p
Development
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Source: http://www.agilemanifesto.org/
10

12. Agile’s Core Values
• Communication
C i ti
• Simplicity
• Feedback
• Courage
11

13. Principles of Agile Development
• Rapid Feedback
• The system is appropriate for the
intended audience
audience.
• Simple Design
• The code passes all the tests.
• Incremental Change • Th code communicates everything
The d i hi
it needs to.
• Embracing Change
• The code has the smallest number
of classes and methods.
• Quality Work
12

14. Agile Practices • Customer: scope, priorities
and release dates
• The Planning Game
• Developer: estimates
estimates,
consequences and detailed
• The Driving Metaphor scheduling
• Shared Vision
• On-Site Customer
• Development iterations or
• Small Releases cycles that last 1-4 weeks.
• Release iterations as soon
as possible (weekly, monthly,
quarterly).
13

15. More Agile Practices
• Collective Ownership
• Test Driven
• Continuous Integration
• Coding Standards
g
• Pair Programming
14

16. The Agile Practitioner’s Dilemma
Practitioner s
Agile Forces: Secure Forces:
Be more responsive to Comply with more
business concerns aggressive regulatory
Increase the frequency environment
of stable releases Focus on need for
Decrease the time it security
takes to deploy new Traditional approaches
features to security require
Do not waste time on additional
“superfluous” documentation and
documentation and planning (D’Oh!)
planning
15

17. Definition of Secure
A secure product is one that protects the confidentiality,
p p y,
integrity, and availability of the customers’ information, and the
integrity and availability of processing resources under control of
the s stem’s o ner or administrator
system’s owner administrator.
-- Source: Writing Secure Code (Microsoft com)
(Microsoft.com)
16

18. A Secure Development Process…
• Strives To Be A Repeatable Process
• Requires Team Member Education
• Tracks Metrics and Maintains Accountability
Sources:
“Writing Secure Code” 2nd Ed., Howard & LeBlanc
“The Trustworthy Computing Security Development Lifecycle”
by Lipner & Howard
y p
17

19. Secure Development Principles
• SD3: Secure by Design, Secure by Default, and in Deployment
• Learn From Mistakes
• Minimize Your Attack Surface
• Assume External Systems Are Insecure
• Plan On Failure
• Never Depend on Security Through Obscurity Alone
• Fix Security Issues Correctly
18

20. Secure Development Practices
• Threat Modeling / Architectural Risk Assessment
• Education, Education, Education
• Secure Coding
– Via standards and practitioner knowledge
• Security Reviews
– A hit t
Architecture
– Design
– Code
• Security Testing (Penetration Testing)
19

21. Microsoft s
Microsoft’s Secure Development Lifecycle (SDL)
• Requirements
• Design
• Implementation
• Verification
• Release
• (Waterfall!)
20

22. Dr.
Dr Dobb’s says Agile Methods Are Catching On
41% of organizations have adopted an agile
methodology
Of the 2,611 respondents doing agile…
p g g
• 37% using eXtreme Programming
• 19% using Feature Driven Development (FDD)
• 16% using SCRUM
• 7% using MSF for Agile S ft
i f A il Software DDevelopment
l t
Source: http://www.ddj.com/dept/architect/191800169
21

23. Agile Teams are “Quality
Infected”
• 60% reported increased productivity
• 66% reported improved quality
• 58% improved stakeholder satisfaction
22

24. Adoption Rate for Agile Practices
Of the respondents using an agile method…
• 36% have active customer participation
• 61% have adopted common coding guidelines
• 53% perform code regression testing
• 37% utilize pair programming
23

25. An Integrated Process
Making Agile Trustworthy
24

26. Project Roles
• Product Manager / Customer
• Program Manager / Coach
• Architect
• Developer
• Tester
• Security Adviser
25

27. Organization Setup
• Education & Training (include Security)
– Developers
– Testers
– Customers
• User Stories / Use Case Driven Processes
• Enterprise Architecture Decisions
• Organizational adoption of Threat Modeling
26

28. Project / Release Planning
• User Stories / Use Cases Drive…
– Acceptance Test Scenarios
– Estimations may affect priorities and thus the composition of the
release
– Inputs for Threat Modeling
p g
– Security Testing Scenarios
– Determine the qualitative “risk budget”
• Keep the customer involved in making risk tradeoffs
p g
• Finalize Architecture & Development Guidelines
– Common Coding Standards (include security)
• Crucial for collective code ownership
p
– Data Classification standards
– Conduct Initial Threat Modeling (assets & threats)
• Agree on STRIDE and DREAD classifications
– Designer’s Security Checklist
27

29. Iteration Planning
• 1-4 Weeks in Length (2 weeks is very common)
• B i with an It ti Pl
Begins ith Iteration Planning M ti
i Meeting
– User Stories are broken down into Development Tasks
– Developers estimate their own tasks
p
– Document the Attack Surface (Story Level)
– Model the threats alongside the user story documentation
• Crucial in documentation-light processes
documentation light
• Capture these and keep them
– Code will tell you what decision was made, threat models will tell
you why decisions were made
– Crucial for “refactoring” in the face of changing security priorities
• Never Slip the Date
– Add or Remove Stories As Necessary
28

30. Executing an Iteration
• Daily Stand-ups
• Continuous Integration
– Code Scanning Tools
– Security Testing Tools
• Adherence to Common Coding Standards and Security
Guidelines
– Crucial for communal code ownership
• Developer’s Checklist
29

31. Closing an Iteration
• Automation of Customer Acceptance Tests
– Include negative testing for identified threats
• Security Code Review
– Some may have happened informally during pair programming
30

32. Stabilizing a Release
• Schedule Defects & Vulnerabilities
– Prioritize vulnerabilities with client input based on agreed-upon STRIDE and
DREAD standards
t d d
• Security Push
– Include traditional penetration testing
31

33. Compromises We’ve Made
• Security Compromises:
– Short term, iterative focus removes “top down” control
– Focus on individual features can blind process to cross-feature security
issues
• Agile Compromises:
– More documentation than is required in pure Agile development
• Security coding standards
• Data classification standards
• Project-specific STRIDE and DREAD standards
• User story threat models
– Additional tasks increase development time
– Forces customers to accept security (isn’t this a good thing?)
32

34. Characteristics of an Agile and
Secure Process
• Customer-focused
C t f d
• Responsive
• Iterative
• Trustworthy
33

35. Questions
Dan Cornell
dan@denimgroup.com
(210) 572-4400
Website: www denimgroup com
www.denimgroup.com
Blog 1: www.agileandsecure.com
Blog 2: denimgroup.typepad.com
34